On Sat, 3 Apr 1999, Grant Bayley wrote: | Hi folks, | | I've documented (with examples) a long standing bug in the AustNet IRC | network "Virtual World" service which masks user IP address/hostnames for | the purpose of preventing nukes and other fun things. The admins have | known about it for some time but seem to want to fix things like LoveOP | which sends lame love messages rather than helping their users stay | anonymous and secure, something they tout quite widely on their webpage. <snip> | I should mention in passing that other IRC networks like Xnet that offer | hostname/ip masking do not suffer from the same bug. It appears that the Relicnet IRC network, which just the other day implemented their version of 'vworld,' suffers from the same sort of vulnerability. Quick example: nyisles_ - islesat_private ircname - moderate rock... server - styx.us.relic.net [Dare thee cross the River of Hate?] idle - 0h 4m 52s nyisles_'s real hostname is jive.krad.org. When nyisles_ is /umode -i or on the same channel as the 'attacker,' and the attacker decides 'well i dont like this guy and wish to DoS him and/or try to exploit his machine,' he can simply host -l krad.org (as documented on the 2600.org.au site). Then, he can /who *<krad.org host here>* until he does, say, /who *jive* and get: * H nyisles_ [islesat_private] (styx.us.relic.net!0) thus, an attacker who assumes i am using jive.krad.org but wasn't sure has just been proven that that's really my host and can nuke the crap out of me or whatever. The same thing works on IPs - relicnet's IP masking is even easier to guess around since only the last number in the IP in a non-reversing IP is hidden (i.e. 209.52.169.7 becomes 209.52.169.000, and the attacker can just /who 209.52.169.1 209.52.169.2 etc. until he hits 209.52.169.7, and then bingo, the /who will respond with: * H nyisles_ [islesat_private] (styx.us.relic.net!0) and once again give away my real IP and remove my so-called 'blanket of security.') I verified this on others by telling one of the opers there his real hostname after he joined with () The-1-Law (blahat_private) joined channel #RelicNet since this ISP's nameservers didn't allow host -l queries, /msg nickserv list *dmrtc* gave me someone else's real dmrtc.net host as an example, and after about 30 seconds of /who guessing i had his real host (much to his dismay). There may be other vulnerable networks, so far xnet.org is the only network that uses a vworld-type system that i know of that *isn't* vulnerable. -=--=--=--=--=--=--=--=--=--=--=--=--=--=- Paul McGovern (nyisles) - islesat_private BSBW Public Library - Technical Assistant IRC Administrator - redemption.xnet.org IRC Administrator - krad.fef.net http://www.krad.org (under construction) -=--=--=--=--=--=--=--=--=--=--=--=--=--=-
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:41:36 PDT